Fix the following issues mentioned in Pixel SBOM review.

1) PackageSupplier should be NOASSERTION if there is no homepage
   information in METADATA file of source packages
2) PackageDownloadLocation of upstream packages should be NOASSERTION if
   there is no code repository URL in METADATA file of source packages

Test: CIs
Test: atest --host sbom_writers_test
Change-Id: I8a0298b7bacc2f96555f9d7dde0d21ada8c6b564
diff --git a/tools/sbom/generate-sbom.py b/tools/sbom/generate-sbom.py
index 0c5deb2..192061e 100755
--- a/tools/sbom/generate-sbom.py
+++ b/tools/sbom/generate-sbom.py
@@ -279,12 +279,13 @@
     name, external_refs = get_source_package_info(installed_file_metadata, metadata_file_path)
     source_package_id = new_package_id(name, PKG_SOURCE)
     source_package = sbom_data.Package(id=source_package_id, name=name, version=args.build_version,
+                                       download_location=sbom_data.VALUE_NONE,
                                        supplier='Organization: ' + args.product_mfr,
                                        external_refs=external_refs)
 
     upstream_package_id = new_package_id(name, PKG_UPSTREAM)
     upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version=version,
-                                         supplier='Organization: ' + homepage if homepage else None,
+                                         supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION,
                                          download_location=download_location)
     packages += [source_package, upstream_package]
     relationships.append(sbom_data.Relationship(id1=source_package_id,
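Review bot: The upstream package still passes `download_location=download_location` through unchanged, so an empty value only becomes NOASSERTION because of the writers' fallback, while the supplier one line above is resolved at the call site. Resolving both here keeps the provenance claim visible where the METADATA values are read: `download_location=download_location or sbom_data.VALUE_NOASSERTION)`. The added parentheses around `'Organization: ' + homepage` do not change evaluation; only the `else` value changes behaviour. The supplier fallback lives in generate-sbom.py, and the listed `sbom_writers_test` target does not appear to exercise it, so a case with a METADATA file lacking a homepage would be worth adding. The enclosing function starts and ends outside the hunk.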
@@ -296,6 +297,7 @@
     prebuilt_package_id = new_package_id(name, PKG_PREBUILT)
     prebuilt_package = sbom_data.Package(id=prebuilt_package_id,
                                          name=name,
+                                         download_location=sbom_data.VALUE_NONE,
                                          version=args.build_version,
                                          supplier='Organization: ' + args.product_mfr)
     packages.append(prebuilt_package)
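Review bot: `download_location=sbom_data.VALUE_NONE` on the prebuilt package asserts that no download location exists, which is a stronger statement to SBOM consumers than NOASSERTION. For a prebuilt whose origin the build may not record, that could be more than the generator actually knows. If NONE is the intended claim, a one-line comment would settle it for the next reader, for example `# NONE: prebuilt is supplied with the build, not downloaded` if that is the reasoning. The enclosing function is not fully visible in this hunk.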
@@ -438,6 +440,7 @@
 
   product_package = sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                                       name=sbom_data.PACKAGE_NAME_PRODUCT,
+                                      download_location=sbom_data.VALUE_NONE,
                                       version=args.build_version,
                                       supplier='Organization: ' + args.product_mfr,
                                       files_analyzed=True)
@@ -445,6 +448,7 @@
 
   doc.packages.append(sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                                         name=sbom_data.PACKAGE_NAME_PLATFORM,
+                                        download_location=sbom_data.VALUE_NONE,
                                         version=args.build_version,
                                         supplier='Organization: ' + args.product_mfr))
 
diff --git a/tools/sbom/sbom_data.py b/tools/sbom/sbom_data.py
index 0c380f6..d2ef48d 100644
--- a/tools/sbom/sbom_data.py
+++ b/tools/sbom/sbom_data.py
@@ -33,6 +33,9 @@
 PACKAGE_NAME_PRODUCT = 'PRODUCT'
 PACKAGE_NAME_PLATFORM = 'PLATFORM'
 
+VALUE_NOASSERTION = 'NOASSERTION'
+VALUE_NONE = 'NONE'
+
 
 class PackageExternalRefCategory:
   SECURITY = 'SECURITY'
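Review bot: The new `VALUE_NOASSERTION` and `VALUE_NONE` constants carry no comment, yet the distinction between them is what the rest of the commit turns on. A short comment above them would keep callers from treating the two as interchangeable, for example `# SPDX field values: NOASSERTION = no claim made / not determined; NONE = determined that no value exists.`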
diff --git a/tools/sbom/sbom_writers.py b/tools/sbom/sbom_writers.py
index 66aa6b4..b1c66c5 100644
--- a/tools/sbom/sbom_writers.py
+++ b/tools/sbom/sbom_writers.py
@@ -86,7 +86,7 @@
 
   @staticmethod
   def marshal_package(package):
-    download_location = 'NONE'
+    download_location = sbom_data.VALUE_NOASSERTION
     if package.download_location:
       download_location = package.download_location
     tagvalues = [
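Review bot: Changing the fallback in `marshal_package` to NOASSERTION changes the output for every package whose `download_location` is falsy, not only upstream packages. Any caller outside this commit that omits the argument will now emit a different value, so remaining `sbom_data.Package(...)` call sites are worth checking. The same fallback is spelled out a second time in the JSON writer hunk below, so the two formats can drift apart. Using one expression in both places would help, here as `download_location = package.download_location or sbom_data.VALUE_NOASSERTION`. `marshal_package` continues past the end of the hunk.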
@@ -296,7 +296,7 @@
       package = {
         PropNames.NAME: p.name,
         PropNames.SPDXID: p.id,
-        PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else 'NONE',
+        PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else sbom_data.VALUE_NOASSERTION,
         PropNames.FILES_ANALYZED: p.files_analyzed
       }
       if p.version:
diff --git a/tools/sbom/sbom_writers_test.py b/tools/sbom/sbom_writers_test.py
index 4db2bb7..361dae6 100644
--- a/tools/sbom/sbom_writers_test.py
+++ b/tools/sbom/sbom_writers_test.py
@@ -49,6 +49,7 @@
     self.sbom_doc.add_package(
       sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                         name=sbom_data.PACKAGE_NAME_PRODUCT,
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         files_analyzed=True,
@@ -58,6 +59,7 @@
     self.sbom_doc.add_package(
       sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                         name=sbom_data.PACKAGE_NAME_PLATFORM,
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         ))
@@ -65,6 +67,7 @@
     self.sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
                         name='Prebuilt package1',
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         ))
@@ -72,6 +75,7 @@
     self.sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                         name='Source package1',
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         external_refs=[sbom_data.PackageExternalRef(
@@ -121,6 +125,7 @@
     self.unbundled_sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                         name='Unbundled apk package',
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT))
     self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
diff --git a/tools/sbom/testdata/expected_json_sbom.spdx.json b/tools/sbom/testdata/expected_json_sbom.spdx.json
index 628615f..32715a5 100644
--- a/tools/sbom/testdata/expected_json_sbom.spdx.json
+++ b/tools/sbom/testdata/expected_json_sbom.spdx.json
@@ -74,7 +74,7 @@
         {
             "name": "Upstream package1",
             "SPDXID": "SPDXRef-UPSTREAM-package1",
-            "downloadLocation": "NONE",
+            "downloadLocation": "NOASSERTION",
             "filesAnalyzed": false,
             "versionInfo": "1.1",
             "supplier": "Organization: upstream"
diff --git a/tools/sbom/testdata/expected_tagvalue_sbom.spdx b/tools/sbom/testdata/expected_tagvalue_sbom.spdx
index 0f1c6f8..ee39e82 100644
--- a/tools/sbom/testdata/expected_tagvalue_sbom.spdx
+++ b/tools/sbom/testdata/expected_tagvalue_sbom.spdx
@@ -53,7 +53,7 @@
 
 PackageName: Upstream package1
 SPDXID: SPDXRef-UPSTREAM-package1
-PackageDownloadLocation: NONE
+PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageVersion: 1.1
 PackageSupplier: Organization: upstream